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canearr^ 
a danger ! 

Experts are warning i 
about viruses in ; 
infected attachments \ 

BY DAVID L.Wilson V 

Mercury News Washington Bureau 

WASHINGTON — The holiday season is often a 
time when computer usei-s pass around amusing 
electronic animalioi is via e-mail. Although most of 
these attacluuents are liannless, some may hide 
' destructive computer virus- 

^^Indeed, anti-virus watch- ^^JT ^S^ MT- 
dogs identified a new virus. JS-^5TL|ft; 
this week that masquerades P|I||RI 
as an innocuous bunch of I 
digital photos but actually ' J^^^^ ] 
plants a time bomb that will ^^s^^^ 
erase the computer's hard ^^^^^Mw ! 
drive on Jan. 1,2000. .1^^^ ] 

Because that's the same " 
date that tlie y2K bug is ex- 
pected to cause many comput- Virus fighters 

er systems to crash, the virus j 

might fool users into believing expect more j 

they have a Y2K problem. 

Virus fighters expect more viruses 

viruses linked to Y2K to — • v 

emerge as Jan. 1 approaches, linked to Y2K 

and they are once again beg- - 

ging computer users to avoid to emerge as^ 

opening e-mailed attach- * 

ments. Jan. 1 * 

"We're tellmg people to be 

very wary of electronic Clirist- approaches. ' 
mas cards," said Sal Viveros, a 
virus expert with Network As- 
sociates Inc., based in Santa Clara. 

The Mypics worm, as this latest threat is called, 
arrives attached to what appears to be e-mail from 
a friend or associate that says, "Here's some pic- 
tures for you!" 

Opening the attached file, Pics4You.exe, will m- 
fect your computer with the virus, which will at- 
See VIRUSES, Page 3C 
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tempt to mail itself to 50 people it 
finds in your Microsoft Outlook e- 
mail address book. It will also . 
change the home page of your Mi- 
crosoft Internet ^^lorer Web 
browser to a pornographic site. 

The real damage occurs Jan. 1, 
when the virus wiU change the com- 
puter's most basic software and at- 
tempt to erase the hard drive. 

The increasing frequency of alerts 
relatiiig to tilings like electronic vi- 
ruses is prompting renewed calls for 
safe computing, but few experts ex- 
pect users to change their habits. 

"It would be great if everybody 
followed the rule: Never open e-mail 
attachments if you can help it," said 
Carey Nachenberg, chief researcher 
at Symantec's anti-viral research 
center. "But I don't think tliey will." 

In general, just looking at an infec- 
ted e-niail can't hurt; users have to 
do something else to activate the vi- 
i-us and infect their system- Typical- 
ly, a virus comes as an attachment to 
e-mail, such as a document that can 
be read only with a word processor 
like Microsoft Word. 

Clicking on the attachment to 
read tlie docmiient can infect the us- 
er's macliine witli any virus that was 
lurking on tlie sender's machine. A 
virus is dangerous because it can al- 
ter or destroy data 

Until recently, experts advised us- 
ers to simply avoid opening attach- 
ments sent by people they didn't 
know. Unfortunately, the most trou- 
blesome viruses today spread by 
fooling people into believing the 
document was sent by a friend. 

For instance, Mypics attempts to 
mail copies of itself to anyone in the 
user's e-n^ address book. Anyone 
receiving such a missive from, say, 
their brother, nught open Uiat at- 
tachment witliout thinking about it 

Most software vendors are awaie 
of the problem and take steps to get 
around it For instance, Blue Moun- 
tain Arts, a purveyor of electronic 
greeting cards, doesn't send the card 
via e-mail, just a Web address, which 
can be accessed though any brows- 
. er. 

Jared P. Schutz, the company's ex- 
ecutive director, said that's the only 
way to be safe. "I would highly rec- 
ommend that people avoid opening 
attached files, even from people that 
they, know," he said. 



M computer virus ror uirisimas 

Many computer viruses travel as inno5gn^looking files attached toj 
electronic mail. With the holiday seaso^^n us, people ofteri e-maiH 
electronic greetings and photographsl^^ids and family membersj 
but not every file that comes with an e-nrail is safe.This year posesjj 
special hazards, according to anti-virus experts, because many viru^ 
writers may use the Y2K bug to hide their mischief.This vyeek^ 
virus companies detected a new virus> njrned Mygics^^^^^^ 
erase a computer's^ hard^yejin 

- _Y6u gert an e-maitwi^ 
^ attachment,nam|d:|i^ 




2W0RM REPRODUCES - 
If Vou open the attachment the wbji^ 
will send itself to 50 people in yourl** 



-;.^Micrdsqp^ook^ 
;^^lso;cfi^Sgmehorfie^papi^ 
Microsoft Internet Explorer browseg 
to.a'pornographic sb^SfJ??^^' 

WORMmiTS ' 

On Jan. 1, 2000, the worm will overwrite 
key system data..The user will see an 
apparent Y2K-related error when ^ - . 
starting up the computer. The worm will . | 
then destroy all data on the hard drive: 

HOW TO PROTECT YOURSELF 

Avoid opening attachments to e-mail if possible. If you want the attachment 
call the sender and verify its contents before opening it Update vims 
protection software weekly and use it to scan attachments. Back up critical 
data regularly. 



Source: Symantec Corp. 

That*s the standard advice, but no- 
body expects attachments to disap- 
pear tomorrow, despite the warn- 
ings. 

"I can*t tell you whether we Ve still 
got a lot of people who just haven't 
gotten the message — newbies — or 
whetlier it's people who. should 
know better but do it anyway," said 
Sandra Sparks, director of the Ener- 
gy Department's Computer Incident 
Advisory Capability, which works to 
ensure the security of government 
computer systems. "Maybe it's the 
same kind of thing that happens with 
people who don't wear a seat belt" 

Althougli many corporations scan 
all incoming e-mail and destroy any 
known virus before it's delivered in- 
to an en^)loyee's mailbox, very few 
Internet service providers offer such 
a feature, largely because examining 
eveiy single data packet that flows 
into the pipes can slow service. 

So for now, anti-virus protection 
is largely the responsibility of indi- 
viduals. 

To protect against all viruses, ex- 
perts say virus protection software 
should be updatedweeldy^_ 



MERCURY NEWS ^ 

Attachments generally should be ' 
avoided If you receive an attachr. 
ment that you want, contact the. 
sender and ask if it was deliberately * 
sent If possible, ask that the infor- ^ 
malion in the attachment be copied, 
and pasted' into a plain e-mail file 
and resent, or pasted on a Web page. : 
J If that's not possible and you must^' 
open the attachment, make sure ifs * 
scanned first with an updated anti-vi;^ 
ral program. 

Even with such precautions, it's 
still possible for a new, fast-moving 
virus to get through your defenses. 
The only real protection users have 
is to regularly make copies of the da- 
ta on their hard drive. 

"Back up your critical stuff . at 
least once a week," said Sparks. 
know tiiatfs annoying, and I know it^: 
takes time. But compare that^; 
amount of time vs. the amount of 
time you'd spend trying to rebuild 
your system, or your company, and* 
thafs a very small investment" 

CmUki David Wilson at (202) 
383-6020 or at 

dvnlso 7i@sjrnercury.com. - tv. 
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step 1: 

A first computer 203 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 205 thereby creating 
a list of e-mail users 206. 




List of E-mail Users 206 



First Computer 203 



E-mail System 205 




Second Computer 208 



Third Computer 210 




Web Page 214 



Step 2: 

The first computer 203 loads and 
executes the second program that 
sends the list of e-mail users 206 
to a second computer 208. 




< > 
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step 3: 

The second computer 208 loads and 
executes the third program that: 

specifies within the mock computer vinjs 

attachment 202 the e-mail 

address of the third computer 210 

as the recipient of the e-mail that is sent 

if the mock computer virus attachment 202 

is opened. 

sends the list of e-mail users 206 to 
the third computer 210. 

and sends an e-mail with the mock 
computer virus attachment 202 
to each e-mail address on the list i.e. 
each user 211. 
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Step 4: 

The third computer 210 loads and 
executes the fourth program which 
receives the e-mails from the users 
21 1 that open the mock computer 
virus attachment 202 and creates a 
new list of e-mail users with their 
respective e-mail addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 202 and those that did 
not open it, may be displayed as 
results 2,12 on a web page 214 or 
other report on the network. 
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step 1: 

An e-mail user behavior 
modification server 301 
provides a program 302 
that can be downloaded to 
a computer 303. 




Computer 303 



Program 302 



E-mail User Behavior 
Modification Server 301 



E-mail System 305 




Administrator / 
i\/lanagement310 
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User 307 User 307 User 307 




Web Page 309 



Step 2: 



The program 302 extracts a 
list of e-mail addresses 304 
from the e-mail system 305. 




List of E-mail 
Addresses 304 



Computer 303 



E-mail System 305 



E-mail User Behavior 
Modification Server 301 




Administrator/ 
Management 310 
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step 3: 

The program 302 sends the 
list of e-mail addresses 304 
from the computer 303 
to the e-mail user behavior 
modificatiOT server 301. 




Computer 303 



List of 
E-mail 
Addresses 
304 



E-mail System 305 




E-mail User Behavior 
Modification Server 301 



Administrator/ 
Management 310 
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Step 4: 

The e-mail user behavior 
modification server 301 sends an 
e-mail with the mock computer virus 
attachment 306 to each e-mail 
address on the list i.e. each user 307. 
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E-mail System 305 
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step 5: 

The mock computer virus attachment 306 

will send an e-mail to the e-mail 

address of the e-mail user 

behavbr modification server 301 

if the mock computer virus attachment 306 

is opened. 

The e-mail user behavior modification 
server 301 receives the e-mails from 
users 307 that open the mock computer 
virus attachment 306 and compiles a list 
of users 308 that opened the mock 
computer virus attachment 306. 
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Step 6: 

The list of users that opened 
the mock computer virus attachment 306 
and the users that were sent the e-mail 
with the mock computer virus attachment 306 
but did not open it are displayed as 
results 308 on a web page 309 or 
sent as an e-mail to the administrator/ 
management 310. 
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step 1: 

An e-mail user behavior 
modification server 401 
provides a program 402 
that can be downloaded to 
a computer 403. 



E-mail User Behavior 
Modification Server 401 



Program 402 
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Step 2: 



The program 402 extracts a 
list of e-mail addresses 404 
from the e-mail system 405. 
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step 3: 



The computer 403 sends an 
e-mail with the mock computer virus 
attachment 406 to each e-mail 
address on the list i.e. each user 407. 
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Step 4: 

The mock computer virus attachment 406 
will send an e-mail to the e-mail 
address of the e-mail user 
behavior modification server 401 
if the mock computer virus attachment 406 
is opened. 

The e-mail user behavior nrodification 
server 401 receives the e-mails from 
users 407 that open the mock computer 
virus attachment 406 and compiles a list 
of users that opened the mock 
computer virus attachment 406. 













O B O □ 





E-mail User Behavior 
Modification Server 401 



E-mail System 405 





Computer 403 



Administrator/ 
Management 410 



Opened mock computer 
virus attachment 406 



oy 

User 407 User 407 User 407 



Drawing 4, page 2 of 3 




Web Page 409 



Drawing 4 



step 5: 



The list of users that opened E-mail User Behavior 

the mock computer virus attachment 406 Modification Server 401 
and the users 407 that were sent the e-mail 
with the mock computer virus List 
attachment 406 but did not open it 
are displayed as results 408 on a 
web page 409 or sent as an e-mail to 
the administrator / management 410. 
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step 1: 



A first computer 503 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 505 thereby creating 
a list of e-mail users 506. 



The first computer 503 informs 
the fourth computer 515 
of the number or type of 
e-mail addresses 516 it 
extracted. 




List of E-mail Users 506 
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Step 2: 

The first computer 503 loads and 
executes the second program that 
sends the list of e-mail users 506 
to a second computer 508. 



The fourth computer 515 
gives authorization 517 to the 
first computer 503 to send 
the list of e-mail users 506 
to the second computer 508. 



E-mail System 505 



Network 501 




Second Computer 508 



Third Computer 510 



Fourth Computer 515 
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step 3: 

The second computer 508 loads and 
executes the third program that: 

specifies within the mock computer virus 
attachment 502 the e-mail address of the 
third computer 510 as the recipient of the 
e-mail that is sent if the mock computer 
virus attachment 502 is opened; 
upon receipt of authorization 517 
sends the list of e-mail users 506 to 
the third computer 510; 
and upon receipt of authorization 517 
sends an e-mail with the nrock 
computer virus attachment 502 
to each e-mail address on the list 
i.e. each user 511. 

AuthorizsrfTon 517 
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Network 501 
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mail wit 1 mock 
fcomputei virus 
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List of E-mail 
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Third Computer 510 
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Step 4: 

The third computer 51 0 loads and 
executes the fourth program which 
receives the e-mails from the users 
51 1 that open the mock computer 
virus attachment 502 and creates a 
new list of e-mail users with their 
respective e-mail addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 502 and those that did 
not open it, is sent as results 512 
to the fourth computer 515. 



Fourth Computer 515 
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step 5: 



The fourth computer 515 gives 
authorizatbn 517 to the third 
computer 510 to post the 
results 512 to the web page 514 



User 511 User 511 User 511 



E-mail System 505 




Fourth Computer 515 



Web Page 514 



Drawing 5, page 3 of 3 



